Prevent Assistant Admins From Setting the Trust this computer for delegation Flag on a Computer Obje (NETIQKB5765)

  • 7705765
  • 02-Feb-2007
  • 19-Jun-2007


How to Prevent Assistant Admins From Setting the Trust computer for delegation Flag on a Computer Object

Directory and Resource Administrator 6.x


The Automation feature in DRA can be used to prevent Assistant Admins from checking the Trust computer for delegation (Trusted for Delegation) flag on a computer object. At this time, t here is no individual power in Directory and Resource Administrator that permits setting the flag. 


A pre-task trigger can be configured so that, when an Assistant Admin checks Trust computer for delegation on a computer object, DRA will display a customized error message and will prevent the change from taking place.

To configure the pre-task trigger, launch the MMC interface while logged on as an Assistant Admin with, at minimum, the Built-in Configuration role and perform the following steps:

  1. Expand the Policy and Automation management snap-in node.
  2. Select Automation Triggers.
  3. Click New.
  4. Click Browse and select ComputerSetInfo in the Associate to operation field.
  5. Select the Pre-Task radio button
  6. Click Next
  7. Select the ActiveViews and Assistant Admins over which the policy should be enforced. 
  8. Click Next.
  9. Select the Script radio button.
  10. Enter the path to the script file (e.g: C:\Program Files\NetIQ\DRA\Scripts\TrustedForDelegation.vbs) in the DO file path.
  11. Click Next.
  12. Click Next.
  13. Specify a name for this trigger.
  14. Click Finish.

Once these steps have been performed, an Assistant Admin whose actions  this policy enforces will receive an error message after selecting the Trust computer for Delegation flag and clicking Finish.


A sample script called TrustedForDelegation.vbs can be obtained from the DRA Knowledge Depot.

For more information on the Trust this computer for delegation flag, please refer to Microsoft Knowledge Base article Q283201

Additional Information

Formerly known as NETIQKB5765